Re: [jboss-dev-forums] [JBoss Microcontainer Development] - Testing jboss-reflect with a SecurityManager enabled
by Adrian Brock
Adrian Brock [http://community.jboss.org/people/adrian%40jboss.org] replied to the discussion
"Testing jboss-reflect with a SecurityManager enabled"
To view the discussion, visit: http://community.jboss.org/message/534062#534062
--------------------------------------------------------------
> Kabir Khan wrote:
>
> This has been committed against https://jira.jboss.org/jira/browse/JBREFLECT-109.
>
> I did not need the extra permissions in ContainerTestPlugin, all that was needed was an IntrospectionEnumTestCase.properties:
>
> test.Permission.0=java.lang.RuntimePermission, accessClassInPackage.sun.reflect.annotation
>
>
>
>
> Without that I got this
>
>
>
> java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.sun.reflect.annotation)
> at java.security.AccessControlContext.checkPermission(AccessControlContext.java:323)
> at java.security.AccessController.checkPermission(AccessController.java:546)
> at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
> at java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1512)
> at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:327)
> at java.lang.ClassLoader.loadClass(ClassLoader.java:250)
> at java.lang.ClassLoader.loadClassInternal(ClassLoader.java:398)
> at java.lang.Class.forName0(Native Method)
> at java.lang.Class.forName(Class.java:247)
> at java.io.ObjectInputStream.resolveClass(ObjectInputStream.java:604)
> <snip/>
>
> at java.io.ObjectInputStream.readObject(ObjectInputStream.java:351)
> at java.util.HashMap.readObject(HashMap.java:1030)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
> at java.lang.reflect.Method.invoke(Method.java:597)
> at java.io.ObjectStreamClass.invokeReadObject(ObjectStreamClass.java:974)
> at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:1849)
> at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1753)
> at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1329)
> at java.io.ObjectInputStream.defaultReadFields(ObjectInputStream.java:1947)
> at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:1871)
> at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1753)
> at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1329)
> at java.io.ObjectInputStream.readObject(ObjectInputStream.java:351)
> at org.jboss.test.AbstractTestCase.deserialize(AbstractTestCase.java:352)
> at org.jboss.test.classinfo.test.AbstractClassInfoTest.access$0(AbstractClassInfoTest.java:1)
> at org.jboss.test.classinfo.test.AbstractClassInfoTest$1.run(AbstractClassInfoTest.java:100)
> at java.security.AccessController.doPrivileged(Native Method)
> at org.jboss.test.classinfo.test.AbstractClassInfoTest.testBasics(AbstractClassInfoTest.java:96)
> at org.jboss.test.classinfo.test.ClassInfoEnumTest.testEnum(ClassInfoEnumTest.java:71)
> at org.jboss.test.classinfo.test.ClassInfoEnumTest.testEnumFieldAnnotation(ClassInfoEnumTest.java:64)
That actually looks like a bug to me.
We are assuming that the annotations cached in InheritableAnnotationsHolder can be Serialized, but
there's no guarantee in the spec that Annotations are Serializable.
It just so happens that the ones Sun implements are, but it obviously fails to Serialize them if you have a
SecurityManager enabled due to the package restriction.
In a different JDK they might not even be Serializable.
More correctly we should reget the annotations during the readObject() processing rather than serializing them,
or probably, just let the state revert back to UNKNOWN_ANNOTATIONS_*.
--------------------------------------------------------------
Reply to this message by going to Community
[http://community.jboss.org/message/534062#534062]
Start a new discussion in JBoss Microcontainer Development at Community
[http://community.jboss.org/choose-container!input.jspa?contentType=1&cont...]
14 years, 1 month
Re: [jboss-dev-forums] [JBoss Microcontainer Development] - Testing jboss-reflect with a SecurityManager enabled
by Kabir Khan
Kabir Khan [http://community.jboss.org/people/kabir.khan%40jboss.com] replied to the discussion
"Testing jboss-reflect with a SecurityManager enabled"
To view the discussion, visit: http://community.jboss.org/message/534053#534053
--------------------------------------------------------------
This has been committed against https://jira.jboss.org/jira/browse/JBREFLECT-109.
I did not need the extra permissions in ContainerTestPlugin, all that was needed was an IntrospectionEnumTestCase.properties:
test.Permission.0=java.lang.RuntimePermission, accessClassInPackage.sun.reflect.annotation
Without that I got this
java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.sun.reflect.annotation)
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:323)
at java.security.AccessController.checkPermission(AccessController.java:546)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
at java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1512)
at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:327)
at java.lang.ClassLoader.loadClass(ClassLoader.java:250)
at java.lang.ClassLoader.loadClassInternal(ClassLoader.java:398)
at java.lang.Class.forName0(Native Method)
at java.lang.Class.forName(Class.java:247)
at java.io.ObjectInputStream.resolveClass(ObjectInputStream.java:604)
at java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1575)
at java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1496)
at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1732)
at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1329)
at java.io.ObjectInputStream.defaultReadFields(ObjectInputStream.java:1947)
at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:1871)
at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1753)
at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1329)
at java.io.ObjectInputStream.defaultReadFields(ObjectInputStream.java:1947)
at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:1871)
at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1753)
at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1329)
at java.io.ObjectInputStream.readObject(ObjectInputStream.java:351)
at java.util.HashMap.readObject(HashMap.java:1030)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at java.io.ObjectStreamClass.invokeReadObject(ObjectStreamClass.java:974)
at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:1849)
at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1753)
at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1329)
at java.io.ObjectInputStream.defaultReadFields(ObjectInputStream.java:1947)
at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:1871)
at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1753)
at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1329)
at java.io.ObjectInputStream.readObject(ObjectInputStream.java:351)
at java.util.HashMap.readObject(HashMap.java:1030)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at java.io.ObjectStreamClass.invokeReadObject(ObjectStreamClass.java:974)
at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:1849)
at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1753)
at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1329)
at java.io.ObjectInputStream.defaultReadFields(ObjectInputStream.java:1947)
at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:1871)
at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1753)
at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1329)
at java.io.ObjectInputStream.readObject(ObjectInputStream.java:351)
at org.jboss.test.AbstractTestCase.deserialize(AbstractTestCase.java:352)
at org.jboss.test.classinfo.test.AbstractClassInfoTest.access$0(AbstractClassInfoTest.java:1)
at org.jboss.test.classinfo.test.AbstractClassInfoTest$1.run(AbstractClassInfoTest.java:100)
at java.security.AccessController.doPrivileged(Native Method)
at org.jboss.test.classinfo.test.AbstractClassInfoTest.testBasics(AbstractClassInfoTest.java:96)
at org.jboss.test.classinfo.test.ClassInfoEnumTest.testEnum(ClassInfoEnumTest.java:71)
at org.jboss.test.classinfo.test.ClassInfoEnumTest.testEnumFieldAnnotation(ClassInfoEnumTest.java:64)
--------------------------------------------------------------
14 years, 1 month
[JBoss Microcontainer Development] - Testing jboss-reflect with a SecurityManager enabled
by Kabir Khan
Kabir Khan [http://community.jboss.org/people/kabir.khan%40jboss.com] created the discussion
"Testing jboss-reflect with a SecurityManager enabled"
To view the discussion, visit: http://community.jboss.org/message/534031#534031
--------------------------------------------------------------
I am enabling security for jboss-reflect and going through and adding privileged blocks where needed. Currently I am using this test policy plugin:

    import java.security.CodeSource;
    import java.security.PermissionCollection;

    // Test policy plugin: adds the reflection-related permissions on top of
    // whatever TestsPolicyPlugin grants by default.
    public class ContainerTestPolicyPlugin extends TestsPolicyPlugin
    {
       public ContainerTestPolicyPlugin(Class<?> clazz)
       {
          super(clazz);
       }

       public PermissionCollection getPermissions(CodeSource codesource)
       {
          PermissionCollection collection = super.getPermissions(codesource);
          collection.add(new RuntimePermission("accessDeclaredMembers"));
          // Permission target names are case-sensitive; the JDK checks "getClassLoader".
          collection.add(new RuntimePermission("getClassLoader"));
          collection.add(new RuntimePermission("accessClassInPackage.sun.reflect"));
          return collection;
       }
    }

Once I'm done I'll see about adding property files for individual tests, or I might just leave this in?
Anyway, the problem I am having is for the following tests:
* BeanInfoUtilTestCase - which seems to assume that it will ALWAYS be able to set/get fields whether they are public or private.
* Field-/MethodAccessRestrictionTestCase - which seems to assume that it can set/get private fields when there is no security manager, but not when there is one.
From what I can work out BeanInfoUtilTestCase was not written with a security manager enabled, so I will modify BeanInfoUtilTestCase to override the delegate so it will never use a security manager no matter what ContainerTest.getDelegate() does.
The next problem is the Javassist version of the Field-/MethodAccessRestrictionTestCase. These fail since the javassist generated accessors (from JBREFLECT-6) are able to access private members, due to inheriting from sun.reflect.MagicAccessorImpl, so we don't get the expected exceptions when calling private members with a security manager enabled. My plan there is to modify JavassistFieldInfo and JavassistMethodInfo to throw an exception if an attempt is made to access them if they are not public and there is a security manager present.
--------------------------------------------------------------
14 years, 1 month
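The explicit check planned in the post above, as an added example that is not the JavassistFieldInfo code or any other jboss-reflect code: a wrapper around an accessor that skips the JVM's access checks refuses non-public members whenever a SecurityManager is installed. The class name `GuardedFieldAccessExample`, the nested `Sample` type and the choice of `IllegalAccessException` are assumptions; `setAccessible(true)` stands in for the generated accessor.

```java
import java.lang.reflect.Field;
import java.lang.reflect.Modifier;

// Hypothetical wrapper standing in for a field-info class whose underlying
// accessor can reach private members without the usual access checks.
public class GuardedFieldAccessExample {
    private final Field field;

    public GuardedFieldAccessExample(Field field) {
        this.field = field;
        // Simulates an accessor that bypasses access checks. A real generated
        // accessor needs no such call, which is why the guard below is explicit.
        field.setAccessible(true);
    }

    // Non-public member and a SecurityManager installed: refuse before delegating.
    private void checkAccess() throws IllegalAccessException {
        if (!Modifier.isPublic(field.getModifiers()) && System.getSecurityManager() != null) {
            throw new IllegalAccessException(
                field + " is not public and a SecurityManager is installed");
        }
    }

    public Object get(Object target) throws IllegalAccessException {
        checkAccess();
        return field.get(target);
    }

    public void set(Object target, Object value) throws IllegalAccessException {
        checkAccess();
        field.set(target, value);
    }

    // Constructed sample type with one private and one public field.
    static class Sample {
        private String secret = "private-value";
        public String open = "public-value";
    }

    public static void main(String[] args) throws Exception {
        Sample sample = new Sample();
        GuardedFieldAccessExample priv =
            new GuardedFieldAccessExample(Sample.class.getDeclaredField("secret"));
        GuardedFieldAccessExample pub =
            new GuardedFieldAccessExample(Sample.class.getDeclaredField("open"));
        // Without a SecurityManager both reads succeed; with one installed,
        // only the public field is readable through the wrapper.
        System.out.println(pub.get(sample));
        System.out.println(priv.get(sample));
    }
}
```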